CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2022-39216 – Combodo iTop's weak password reset token leads to account takeover
https://notcve.org/view.php?id=CVE-2022-39216
Combodo iTop is an open source, web-based IT service management platform. Prior to versions 2.7.8 and 3.0.2-1, the reset password token is generated without any randomness parameter. This may lead to account takeover. The issue is fixed in versions 2.7.8 and 3.0.2-1. • https://github.com/Combodo/iTop/commit/35a8b501c9e4e767ec4b36c2586f34d4ab66d229 https://github.com/Combodo/iTop/commit/f10e9c2d64d0304777660a4f70f1e80850ea864b https://github.com/Combodo/iTop/security/advisories/GHSA-hggq-48p2-cmhm • CWE-330: Use of Insufficiently Random Values •
CVSS: 9.6EPSS: 0%CPEs: 2EXPL: 0CVE-2022-39214 – Authenticated users of Combodo iTop can take over any account
https://notcve.org/view.php?id=CVE-2022-39214
Combodo iTop is an open source, web-based IT service management platform. Prior to versions 2.7.8 and 3.0.2-1, a user who can log in on iTop is able to take over any account just by knowing the account's username. This issue is fixed in versions 2.7.8 and 3.0.2-1. • https://github.com/Combodo/iTop/commit/4c1df9927d1dc6b0181ee20721f93346def026fd https://github.com/Combodo/iTop/commit/bdebea62b642622ed71410b26c81e8537e6e58fa https://github.com/Combodo/iTop/security/advisories/GHSA-vj96-j84g-jhx4 • CWE-863: Incorrect Authorization •
CVSS: 9.3EPSS: 0%CPEs: 7EXPL: 0CVE-2021-41162 – Cross-site Scripting in Combodo iTop
https://notcve.org/view.php?id=CVE-2021-41162
Combodo iTop is a web based IT Service Management tool. In 3.0.0 beta releases prior to beta6 the `ajax.render.php?operation=wizard_helper` page did not properly escape the user supplied parameters, allowing for a cross site scripting attack vector. Users are advised to upgrade. There are no known workarounds for this issue. • https://github.com/Combodo/iTop/commit/83125d9ae16cfb2527b9d0ab0805a68b863244a0 https://github.com/Combodo/iTop/security/advisories/GHSA-w5jw-hfvp-gx95 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.3EPSS: 0%CPEs: 6EXPL: 0CVE-2021-41161 – XSS in csvimport in 3.0.0-beta versions
https://notcve.org/view.php?id=CVE-2021-41161
Combodo iTop is a web based IT Service Management tool. In versions prior to 3.0.0-beta6 the export CSV page don't properly escape the user supplied parameters, allowing for javascript injection into rendered csv files. Users are advised to upgrade. There are no known workarounds for this issue. Combodo iTop es una herramienta de administración de servicios de TI basada en la web. • https://github.com/Combodo/iTop/commit/c8f3d23d30c018bc44189b38fa34a5fffb4edb22 https://github.com/Combodo/iTop/security/advisories/GHSA-788f-g6g9-f8fc • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2022-24811 – Cross-site Scripting in Combodo iTop
https://notcve.org/view.php?id=CVE-2022-24811
Combodi iTop is a web based IT Service Management tool. Prior to versions 2.7.6 and 3.0.0, cross-site scripting is possible for scripts outside of script tags when displaying HTML attachments. This issue is fixed in versions 2.7.6 and 3.0.0. There are currently no known workarounds. Combodi iTop es una herramienta de Administración de Servicios de TI basada en la web. • https://github.com/Combodo/iTop/commit/92a9a8c65f3cbb2cd4414ca3a3b45a5754ba57b4 https://github.com/Combodo/iTop/security/advisories/GHSA-67x5-mqg4-rvgc https://huntr.dev/bounties/1625056478879-Combodo/iTop • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •